Joseph Watson <[EMAIL PROTECTED]> writes:

> Hello,
> 
>       I am using Mandrake's SNF, and am trying to get bind working
> behind this firewall using port forwarding and forwarding port 53, both
> udp and tcp, through to my bind server.  In testing, outgoing connections
> through this firewall by both the server and clients worked great.  But
> any server or client on the internet trying to access my DNS server got no
> response.  I noticed packets being denied on the firewall that were up in
> the 65000 range, but dismissed this as something else.  But I just came
> across something that made me think this may be linked.  I found the
> following snip in the default /etc/named.conf file that came with a
> Mandrake 8.1 install:
> 
>          /*
>           * If there is a firewall between you and nameservers you want
>           * to talk to, you might need to uncomment the query-source
>           * directive below.  Previous versions of BIND always asked
>           * questions using port 53, but BIND 8.1 uses an unprivileged
>           * port by default.
>           */
>          // query-source address * port 53;
> 
> This seems to be self-explanatory, but how do I open up the unprivileged
> ports to make this work? Or am I seeing this thing wrong?

Hello, 

you have found an interesting subject about the old SNF firewall. :o)

First, let me laugh while reading that some people have switched right
away to RedHat. This sounds like blackmail. :o)

Please have in mind that the SNF was designed for small offices and
therefore a public DNS was not considered to be a priority.

It appears that one cannot do UDP port forwarding with SNF using the web
interface.  Unless you want me to do a patch and update the packages :o)

Why doesn't it work?

For the port forwarding we're using ipvsadm and a nice program called
iptoip which uses an xml configuration file called /etc/iptoip.xml.

The problem is that iptoip was using only the TCP protocol. This was
hard-coded in the /usr/sbin/iptoip perl script:

check this out:

sub update_ipvs {           ## update ipvsadm table with
                            ## specified $ip, $DEST_IP, and $PORT
    ## note the hard-coded "-t": only a TCP service is ever created
    system "/sbin/ipvsadm -A -t $ip:$PORT -s wlc";
    system "/sbin/ipvsadm -a -t $ip:$PORT -r $DEST_IP:$PORT -m";
}

How can this be done then, you may ask?

Answer? For the moment this can be done... by hand. :)

You can simply edit the /etc/sysconfig/lvs file on an old SNF.

Here is an example:

10.1.1.1 is the external address of the firewall and 
192.168.10.2 is the address of the DNS, somewhere inside the local LAN. 

# forward the ssh connections
-A -t 10.1.1.1:22 -s rr
-a -t 10.1.1.1:22 -r 192.168.10.2:22 -m -w 1

# forward the domain, DNS, used in the case of a DNS client
-A -u 10.1.1.1:53 -s rr
-a -u 10.1.1.1:53 -r 192.168.10.2:53 -m -w 1

(you might not need the last section)
# forward the domain, DNS, used in the case of a DNS server for zone transfers
-A -t 10.1.1.1:53 -s rr
-a -t 10.1.1.1:53 -r 192.168.10.2:53 -m -w 1


OK, how do I check what I forward?

[root@oldSNF /root]# ipvsadm -L
IP Virtual Server version 1.0.6 (size=4096)                    
Prot LocalAddress:Port Scheduler Flags                         
  -> RemoteAddress:Port             Forward Weight ActiveConn InActConn
TCP  sunlight.mandrakesoft.com:domain rr
  -> 192.168.10.2:domain            Masq    1      0          0         
UDP  sunlight.mandrakesoft.com:domain rr
  -> 192.168.10.2:domain            Masq    1      0          0         
TCP  sunlight.mandrakesoft.com:ssh wlc
  -> 192.168.10.2:ssh               Masq    1      0          0         

You may now check this from the external LAN using dig or the obsolete
nslookup, etc.

This method may apply to NTP as well, port 123 UDP and TCP.

All comments are welcome,
-- 
Florin                  http://www.mandrakesoft.com
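As an added example (not part of Florin's message or the SNF scripts), the following Python turns the manual fix above into two small checks: it emits the /etc/sysconfig/lvs rule lines for both protocols instead of only the hard-coded "-t", and it parses the `ipvsadm -L` listing quoted above to confirm that a service such as "domain" is forwarded over both TCP and UDP. The listing is embedded as constructed sample input; the function and variable names are my own.

```python
import re

def lvs_rules(ext_ip, dest_ip, port, protos=("t", "u"), sched="rr"):
    """Return ipvsadm rule lines in the /etc/sysconfig/lvs format shown above.
    protos uses the ipvsadm flags: 't' = TCP, 'u' = UDP. The iptoip script
    only ever emitted '-t'; emitting both flags is what DNS (and NTP) need."""
    lines = []
    for p in protos:
        lines.append(f"-A -{p} {ext_ip}:{port} -s {sched}")
        lines.append(f"-a -{p} {ext_ip}:{port} -r {dest_ip}:{port} -m -w 1")
    return lines

# Constructed sample input: the `ipvsadm -L` listing quoted in the thread.
SAMPLE_IPVSADM_L = """\
IP Virtual Server version 1.0.6 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port             Forward Weight ActiveConn InActConn
TCP  sunlight.mandrakesoft.com:domain rr
  -> 192.168.10.2:domain            Masq    1      0          0
UDP  sunlight.mandrakesoft.com:domain rr
  -> 192.168.10.2:domain            Masq    1      0          0
TCP  sunlight.mandrakesoft.com:ssh wlc
  -> 192.168.10.2:ssh               Masq    1      0          0
"""

def parse_ipvsadm(output):
    """Parse `ipvsadm -L` text into {(proto, service): [real servers]}.
    A service line starts with TCP/UDP; the '->' lines below it are its
    real servers. The header's own '->' line is skipped (no service yet)."""
    services = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"^(TCP|UDP)\s+\S+:(\S+)\s+(\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            services[current] = []
            continue
        m = re.match(r"^\s+->\s+(\S+):(\S+)\s+(\S+)", line)
        if m and current is not None:
            services[current].append(
                {"addr": m.group(1), "port": m.group(2), "fwd": m.group(3)})
    return services

def missing_protocols(output, service, wanted=("TCP", "UDP")):
    """Return the protocols in `wanted` with no real server for `service`.
    For a public DNS you want an empty list: UDP for ordinary queries, TCP
    for truncated answers and zone transfers."""
    services = parse_ipvsadm(output)
    return [p for p in wanted if not services.get((p, service))]
```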
